Limit Login Attempts in WordPress with PHP

Problem/Use Case:

Protect your site from brute-force attacks by limiting login attempts.

Snippet:

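// Limit login attempts: block an IP address for 10 minutes after 3 failures.
function check_login_attempts($user, $username, $password) {
    // REMOTE_ADDR is the address of the direct peer. Behind a reverse proxy
    // or CDN it is the proxy's address, so all visitors share one counter.
    $ip = $_SERVER['REMOTE_ADDR'];
    $attempts = get_transient($ip . '_attempts') ?: 0;

    // Already locked out: reject regardless of the password check result.
    if ($attempts >= 3) {
        return new WP_Error('too_many_attempts', 'Too many login attempts. Try again in 10 minutes.');
    }

    // Count only submitted credentials that failed. wp-login.php also runs
    // this filter with an empty username and password when it just shows the form.
    if (is_wp_error($user) && !empty($username) && !empty($password)) {
        set_transient($ip . '_attempts', $attempts + 1, 10 * MINUTE_IN_SECONDS);
    }

    return $user;
}
// Priority 30 runs after WordPress's own username/password check (priority 20).
add_filter('authenticate', 'check_login_attempts', 30, 3);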

Explanation:

Blocks further logins from an IP address for 10 minutes after 3 failed attempts.
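A variant of the snippet above, added here as an example and not the author's code: it counts failures on WordPress's `wp_login_failed` action and clears the counter on a successful login via `wp_login`, so earlier typos do not count against a user who has since logged in. The `uld_` function names are hypothetical; the transient key, threshold and lockout window are the same as in the snippet.

```php
// Added example: same 3 attempts / 10 minutes policy, split across hooks.
// All uld_* names are hypothetical; the hooks and functions are WordPress core.

// Same transient key as the original snippet: "<ip>_attempts".
function uld_attempts_key() {
    return $_SERVER['REMOTE_ADDR'] . '_attempts';
}

// 1. Refuse authentication while the IP address is locked out.
function uld_block_when_locked($user, $username, $password) {
    if ((int) get_transient(uld_attempts_key()) >= 3) {
        return new WP_Error(
            'too_many_attempts',
            'Too many login attempts. Try again in 10 minutes.'
        );
    }
    return $user;
}
add_filter('authenticate', 'uld_block_when_locked', 30, 3);

// 2. Count a failure. Core fires wp_login_failed only for real failures and
//    skips the empty_username / empty_password errors of a plain page view.
function uld_count_failure($username) {
    $key      = uld_attempts_key();
    $attempts = (int) get_transient($key);

    // The lockout error from step 1 also fires this action; stop counting at
    // the threshold so requests made while locked out do not extend the lockout.
    if ($attempts < 3) {
        set_transient($key, $attempts + 1, 10 * MINUTE_IN_SECONDS);
    }
}
add_action('wp_login_failed', 'uld_count_failure');

// 3. A successful login clears the counter for that IP address.
function uld_reset_on_success($user_login, $user) {
    delete_transient(uld_attempts_key());
}
add_action('wp_login', 'uld_reset_on_success', 10, 2);
```

Use either this variant or the original snippet, not both, since they share the same transient key.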

Where to Place It:

In functions.php.

Bonus Tip:

For advanced control, use plugins like Limit Login Attempts Reloaded.

Ndifon Luke

Ndifon Luke is the founder and owner of Uncle Luke Digitals, a web design and digital marketing freelancer based in Bamenda, Cameroon. He has over 6 years of expertise in digital marketing and is passionate about working with clients to achieve their business objectives.